Cyber risks are a major concern for management and boards and remain noteworthy to investors and other company stakeholders. Breaches, ransomware, malware, and other attacks are increasing, and the risk continues to rise.

As breaches become more pervasive and threaten shutdowns of company operations, there is greater urgency for companies and auditors to be aware of and head off these risks.

At the annual AICPA CIMA Conference on Current Securities and Exchange Commission (SEC) and Public Company Accounting Oversight Board developments in December, a panel of experts shared perspectives regarding the criticality of cybersecurity risks, what the response of management and boards should be, and how proposed disclosure requirements need to be incorporated into cyber-related responsibilities.

Charles Seets, principal, Americas assurance at EY, called cyber risk “the risk of this decade.”

“When you think about cyber, make sure you think of it as the risk that can shut you down,” he said. “It can stop [auditors] from auditing, it can stop [companies] from producing products or services, and it can shut the lights off if bad actors get into our networks.”

Seets noted January marked the 40th anniversary of the creation of the internet, but security is still trying to catch up. A growing number of digital applications are in place that were never on the radar, with a much larger attack surface than anyone initially contemplated.

Pedro Cordero, founder and principal of Hacking the Cyber Threat and a retired Federal Bureau of Investigation specialist in cyber and counterterrorism, noted breaches cost organizations an average of $9.5 million. This includes lost revenues and cash flows, higher costs, lost customers, lost network infrastructure, technology upgrades, loss of protected customer and employee information, increased legal and regulatory liabilities, and reputational risk.

Three things he said keep him up at night:

  • Attacks on critical infrastructure. The May 2021 ransomware attack on Colonial Pipeline shut down its digital systems for days, and consumers and airlines on the East Coast were unable to purchase fuel. It was considered a national security threat but could have been much worse if the pipeline’s operational technology, the systems that physically move fuel, had been affected rather than only its business IT systems.
  • Shortage of cyber talent. Cordero cited a statistic that, as of December 2022, there were 3.5 million cyber job openings around the world, with 770,000 in the United States. As a result, companies might have to build and train talent organically.
  • Increasing sophistication of cyberattacks, which can go undetected for a significant period. One example is the Russian intrusions into U.S. federal government agency servers.

How to prepare

David Hirsch, chief of the SEC Division of Enforcement’s Crypto Assets and Cyber Unit, recommended companies identify a scale of cyber vulnerabilities and risks they face. By bringing the analysis down to specific potential business risks and experiences and tailoring a program to address them, they are less likely to be overwhelmed by the issue’s scale.

Hirsch stressed the importance of an enterprise-wide approach to cybersecurity—not just a few technical experts making the decisions (and disclosures). Accountants can be helpful in applying their knowledge of systems, access controls, and processes to cyber concepts.


Cordero advised companies to have a robust cyber risk management program that covers data, including use of the cloud; networks; and operational technologies. Each of these areas has its own “intrusion vectors.” He recommended that management have a “trust-but-verify function” over what their chief information officer or third-party cybersecurity vendors are reporting, and use internal auditors to assess the cyber risk management program and provide additional verification of that reporting.

To meet cyber risk management oversight responsibilities, boards and executive management must develop cybersecurity expertise, especially with proposed regulations coming. Cordero recommended foundational cyber leadership training for executives and business unit teams, regular cyber training for professional staff, and continuous security awareness training for all employees throughout the year. He also suggested companies perform an annual assessment of their cyber risk management programs and commit financial resources to remediate any gaps.

In a recent report, KPMG noted technology, media, and telecom companies are preparing for increased cyberattacks in the coming year because they are especially vulnerable to losses (e.g., intellectual property, customer records, networks, reputation, and profits) and already under intense public scrutiny. The report identified these actions for boards to take to mitigate cyber risks:

  • Monitor management’s cybersecurity preparedness, including identifying risks and opportunities, having a crisis response plan in place, implementing dashboard reporting, and assessing talent.
  • Keep an eye on regulatory actions and increase focus on new financial reporting requirements and audit committee oversight, along with who within the company will monitor compliance.
  • Assess all areas where data could be vulnerable. Understand that cybersecurity falls under the umbrella of data governance and data ethics.

Disclosure challenges

Existing SEC rules require companies that experience a cyber event to disclose, in a timely manner, its financial impacts and potential future effects. In March 2022 the agency proposed amended rules that would mandate standardized cybersecurity disclosures for all public companies, including reporting a material incident no later than four business days after the company determines that the incident is material (the clock starts at the materiality determination, not at the date of the attack or its discovery). The proposed rules are still under review.

Hirsch shared a goal of the proposal is to normalize robust disclosure of cyber events. The SEC anticipates companies will be less reluctant to make disclosures when others in their industry, including competitors, are making similar disclosures more often.

The proposed rules emphasize materiality, but materiality depends on specific circumstances.

“Quantitative disclosure is appealing because we like to measure things,” Hirsch said. But companies need to think about both quantitative and qualitative disclosures, which include the direct impact and magnitude of a cyber event and the connection between them. He shared the example of the theft of one company laptop not being quantitatively material, unless the laptop belongs to the chief executive officer, the holder of a company patent, or contains the private key to its crypto assets.

Investors need accurate and timely disclosures to price for risks within an industry and across industries. Companies must provide information detailed enough for investors to consider what the risks are and whether the business is prepared to respond to a cyber event.

Hirsch cited a 2021 SEC case in which the agency fined an educational software company that allegedly knew it had suffered a breach involving the theft of millions of student records containing protected personal information. The company allegedly described the risk of such a breach as if it were hypothetical and indicated it had security procedures in place that it did not.

It is important to have an enterprise-wide approach so that those making disclosures are aware of the company’s risk profile and strategic events. A disclosure challenge for companies is to avoid exposing sensitive customer or vendor information, or revealing specific strengths and weaknesses in their cybersecurity preparedness, in a way that makes them more vulnerable to attack.

“There is some internal tension with enforcement related to cybersecurity events,” Hirsch said. He noted regulators are obligated to protect investors and ensure cyber events are disclosed to the public for market protection, but there is also the risk of “revictimizing the entity that just suffered a significant impact of an attack.”